Detection Guidance

This vulnerability can be detected by attempting to exploit the path traversal flaw in the SillyTavern chat endpoints using crafted requests that manipulate the avatar_url parameter with traversal sequences such as "..".

Example commands to test for the vulnerability include using curl to read or delete arbitrary files under the user data root by sending requests to the /api/chats/export and /api/chats/delete endpoints.

• To read a sensitive file (e.g., secrets.json): curl -b cookie.txt -H "x-csrf-token: $TOKEN" -H "content-type: application/json" \ -d '{"avatar_url":"..","is_group":false,"file":"secrets.json","format":"jsonl","exportfilename":"x"}' \ http://TARGET:8000/api/chats/export
• To delete a sensitive file (e.g., settings.json): curl -b cookie.txt -H "x-csrf-token: $TOKEN" -H "content-type: application/json" \ -d '{"avatar_url":"..","chatfile":"settings.json"}' \ http://TARGET:8000/api/chats/delete

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts including loss of confidentiality, integrity, and availability of user data.

• Confidentiality: Attackers can read sensitive files such as secrets.json, exposing private information.
• Integrity: Attackers can delete critical files like settings.json, potentially corrupting or altering user data.
• Availability: Deletion of important files can disrupt account functionality and availability of user data.

The risk is especially significant in multi-user or remotely accessible deployments where attackers have network access and low complexity is needed to exploit.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-34524 is a path traversal vulnerability in SillyTavern versions up to 1.16.0 that affects the chat export and delete endpoints. An authenticated attacker can manipulate the avatar_url parameter with path traversal sequences like ".." to read or delete arbitrary files within their user data root directory.

The vulnerability exists because input validation only blocks forward slashes and NUL bytes but does not block ".." segments, allowing attackers to escape the intended chat directory and access files outside it.

This flaw allows attackers to read sensitive files such as secrets.json and delete important files like settings.json by exploiting the way file paths are constructed in the application.

Authentication is required to exploit this vulnerability, and it was fixed in version 1.17.0 by improving input validation and path handling.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an authenticated attacker to read and delete arbitrary files within their user data root directory, including sensitive files such as secrets.json and settings.json.

This unauthorized access and modification of sensitive user data can lead to breaches of confidentiality and integrity, which are critical aspects of compliance with standards like GDPR and HIPAA.

Specifically, the exposure and potential deletion of sensitive configuration and secret files could result in violations of data protection requirements, potentially leading to unauthorized disclosure or loss of protected information.

Therefore, until patched, this vulnerability poses a significant risk to maintaining compliance with regulations that mandate strict controls over access to and protection of sensitive data.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade SillyTavern to version 1.17.0 or later, where the vulnerability has been patched by improving input validation and path handling.

Until the upgrade is applied, restrict access to the affected endpoints to trusted users only and monitor for suspicious activity involving the avatar_url parameter.

Useful 0 Not Useful 0